
This is the second of a three-part series on Challenges for Higher Education CIOs – Consumerization of IT.

The particular focus of this challenge is the rise of mobile computing commonly known as “Bring Your Own Device” (BYOD). This trend is changing the education mandate, particularly how faculty teach course materials to their students with mobile devices and how students engage with their schools. This trend also creates a new channel for higher education institutions to engage with their extended communities of students, faculty, researchers and staff. “CIOs must get ahead of the consumerization curve by coming to terms with what is valuable and productive about the influence of consumer IT.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 4)

More and more students and employees demand the option to use their consumer IT devices to work and learn. This blend of work and life, combined with flexible work hours, also contributes to an atmosphere where people want to be able to work with the tools of their choice. “Work is no longer a place you go to, and then leave, but an ongoing activity.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 3) Organizations will have no choice but to address the demands of their employees and students. IT departments, in particular, play a key role in articulating the IT security impacts of BYOD programs on their organization. Blount explores the Consumerization of IT – Security Challenges by describing the challenges, the opportunities and the benefits. “This important trend is not just about new devices; it’s about the entire relationship between IT and its user population.” (Blount, 2011, p. 3) BYOD is not just a technology or device-specific issue.

Bernard describes four dimensions of security: physical, data, personnel and operations (Bernard S. A., 2005, p. 329). Bernard and Ho expanded these into a Security Architecture Framework with eight security layers (Bernard & Ho, 2007). Their paper used the eight layers to describe the impacts on IT security architecture when organizations implement a BYOD model.

Standardized endpoints with a Block or Disregard policy approach – “tightly coupled” control of all layers of architecture – focus on corporate control – this is a corporate liable model

Move to a ‘loosely coupled’ approach to endpoint management. This is not an endpoint-centric approach – focus on policy, culture change and controlling the applications, systems and information layers – requires a BYOD policy to be in place describing responsibilities of employer and employee – this is a blend of a corporate and individual liable model

Expands the scope of support to hybrid model – internal for data, external vendor for endpoint, distributed security, antivirus and data protection

Personnel

Lesser level of employee/student technical ability due to central support, no tax implications as these endpoints are considered equipment, standard user experience and support. Lower costs to create and deliver training on standard endpoints

Higher level of employee/student technical ability due to hybrid support; stipend model may result in income tax implications; potential confusion for users resulting in unsatisfactory service; a BYOD policy must be created. Higher costs to create and deliver training, especially about information security

Entire application infrastructure contained to corporate endpoints to limit vulnerabilities and data leakage. Provides employees with only the applications they need and typically with a lesser user experience

Focus on open standards that will run on any endpoint; consideration for future applications (buy or build); strategies needed to separate personal apps from enterprise apps due to the possibility of inappropriate data access

System

Centralized control of access to applications, systems and information using IAM and PKI security, IT controls the access process instead of relying on HR business processes

Strong reliance on HR business processes for timely notification of changes in employee status; IAM is a critical technology and security strategy and needs investment to properly create role-based access and remove access in a timely manner

This is a key security layer for UWYT as it restricts physical access to key applications, systems and information. This security layer is compromised as soon as an endpoint is taken out of the physical protection of the corporate workplace.

Physical security is ineffective for BYOD as most of the endpoints are mobile; reliance on the other key security layers is mandatory to reduce risk

Some final overall considerations for moving from a Block/Disregard strategy to a Contain/Enable strategy for BYOD are (ProfitLine, 2011, p. 2):

The major pricing and contractual benefits that are lost when moving to individual liable

The hidden IT support costs and potential user experience issues

The increased security risk and policy ramifications

Each organization needs to consider the impacts of the endpoints supported, the data on those endpoints, identity management, employee/student on-boarding and off-boarding and providing an endpoint independent platform to deliver data and information.

A Proposed Approach to Introduce BYOD for Higher Education

This proposed approach requires executive leadership and strong project management. The project plan should allow for conducting the policy and research activities in parallel. Implementing the Policy and Technology strategies requires budget and resources for successful deployment and ongoing support in a BYOD Contain/Embrace strategy.

Bernnat et al. suggest two approaches to accommodate using consumer IT. The first option is the “Bring In” approach. This approach “involves opening the corporate IT environment to private use and letting employees’ digital lives freely enter their work environments.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6) The second option is the “Reach Out” approach. This approach “reaches out to employees, allowing them to use their personal devices – even PC’s – to do their work.” (Bernnat, Acker, Bieber, & Johnson, 2010, p. 6)

Each of these approaches has different resource, policy, support and oversight requirements.

BYOD Management Plan

Resource Alignment

Standardized Policy

Decision Support

Resource Oversight

Bring In Approach

Use existing resources for endpoint management because the endpoints are employer owned

Blount, S. (2011, Aug). The Consumerization of IT: Security Challenges of the New World Order. Retrieved from Computer Associates: http://www.ca.com/us/~/media/Files/TechnologyBriefs/Consumerization-of-IT-Tech-Brief.pdf

ProfitLine. (2011). The Hidden Risks of a “Bring your own Device” (BYOD) Mobility Model. Retrieved from ZDNet: http://i.zdnet.com/whitepapers/Profitline_The_Hidden_Risks_of_a_Bring_your_own_Device_BYOD_Mobility_Model_1_19_2011.pdf